{"result": {"cve": [{"id": "CVE-2004-2130", "type": "cve", "title": "CVE-2004-2130", "description": "Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.", "published": "2004-12-23T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2130", "cvelist": ["CVE-2004-2130"], "lastseen": "2017-04-18T15:50:46"}], "osvdb": [{"id": "OSVDB:8165", "type": "osvdb", "title": "phpBB privmsg.php mode Variable XSS", "description": "## Vulnerability Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input in the 'privmsg.php' script using the 'mode' parameter. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Technical Description\nIf gpc magic quotes is turned off in the 'php.ini' configuration file, the '/phpBB2/privmsg.php' script does not properly validate user-supplied input in the 'search_author' field.\n\nA remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.\n## Solution Description\nUpgrade to phpBB version 2.0.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nphpBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input in the 'privmsg.php' script using the 'mode' parameter. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/phpBB2/privmsg.php?mode=foobar%0d%0aContent-Length:%200%0d%0a%0d\n%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha!\n## References:\nVendor URL: http://www.phpbb.com\n[Secunia Advisory ID:12114](https://secuniaresearch.flexerasoftware.com/advisories/12114/)\n[Related OSVDB ID: 8166](https://vulners.com/osvdb/OSVDB:8166)\n[Related OSVDB ID: 8164](https://vulners.com/osvdb/OSVDB:8164)\n[CVE-2004-2130](https://vulners.com/cve/CVE-2004-2130)\n", "published": "2004-07-22T03:16:32", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:8165", "cvelist": ["CVE-2004-2130"], "lastseen": "2017-04-28T13:20:03"}], "exploitdb": [{"id": "EDB-ID:23475", "type": "exploitdb", "title": "phpBB 2.0.6 - Privmsg.PHP Cross-Site Scripting Vulnerability", "description": "phpBB 2.0.6 Privmsg.PHP Cross-Site Scripting Vulnerability. CVE-2004-2130. Webapps exploit for php platform", "published": "2003-12-23T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/23475/", "cvelist": ["CVE-2004-2130"], "lastseen": "2016-02-02T21:05:18"}]}}